[webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

Michael Catanzaro mcatanzaro at redhat.com
Thu Sep 7 05:41:29 PDT 2023


On Thu, Sep 7 2023 at 11:29:58 AM +0800, 不会弹吉他的KK 
<kai.7.kang at gmail.com> wrote:
> For the Yocto project which I am working on, packages (recipes) can NOT be 
> updated with a
> major version upgrade on Yocto released products/branches. So we 
> still have to fix such
> kinds of CVEs. But for the master branch, webkitgtk will be upgraded as 
> soon as it is released.

I'm going to recommend a different approach: don't fix any CVEs and 
instead prominently document that the version of WebKitGTK distributed 
by Yocto does not receive security updates. It's really better to avoid 
misplaced expectations; when you backport security fixes, people assume 
incorrectly that the package is receiving comprehensive security 
backports and is safe to use, but that's just not true. I.e., your 
security updates actually harm security because they mess up users' 
expectations. It's better to just be clear about it. We have this same 
problem in RHEL and are slowly moving towards doing no updates there as 
well.

I would recommend removing WebKitGTK and its dependencies from Yocto 
altogether if they have rules that prohibit you from releasing proper 
security updates just because the version number is higher. Anyway, 
good luck.

Michael
